The Security Pub

Random Thoughts About Security

Safari purged of decade-old browser history leak

Apple Safari has become the first major browser to be purged of one of the web’s longest-running privacy defects: The ability for any site owner to effortlessly steal a complete copy of your recent browsing history.

The browser history disclosure leak is as old as the World Wide Web itself, and it afflicted every major browser – until now. Starting with versions released Monday, Safari no longer coughs up the list of websites a user has visited. The change is one of almost 50 security fixes Apple engineers added to versions 4.1 and 5.0 of the browser.

Check out the article – [The Register]

Bank of America call center worker pleads guilty to data theft

A Bank of America call center employee has pleaded guilty to charges that he stole sensitive client information and then tried to sell it for cash. Brian Matty Hagen pleaded guilty last week to one count of bank fraud. According to court filings, he recorded customer account information when BofA customers called him for technical support at the Florida call center where he worked.

Check out the article – [IDG News Service]

Fake Facebook Deactivation Email

There are reports of a spam run that at first glance looks like a phishing attempt aimed at your login credentials: mailboxes around the world have been filled with an email supposedly coming from “The Facebook Team”. Since the latest changes to Facebook’s security settings caused quite a stir, and many people did deactivate their accounts, these spammers are clearly counting on people who haven’t deactivated theirs to worry that their account has been deactivated by mistake.

Luckily for those who do click, the “Sign In” link in the email does not lead to a phishing site but to a Canadian Pharmacy site that tries to peddle its wares. Annoying? Yes – but less harmful than phishing.

Still, users should be careful when clicking on links in emails and avoid those in unsolicited emails.
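The tell in this spam run is that the message claims to come from Facebook while its only link leads somewhere else entirely. The following added example (not code from the original post or from Help Net Security) shows the check a mail filter can automate: parse the message, collect every link in the HTML body, and flag those whose domain does not match the sender's domain. The sample message and the `pharmacy-spam.example` host are constructed for this example.

```python
"""Flag e-mails whose links point away from the domain they claim to come from.

Added example, not from the original post. Heuristic: a message whose From
address is at facebook.com but whose "Sign In" link resolves to an unrelated
domain is reported as suspicious. The sample message below is constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: reads like a deactivation notice from Facebook, but the
# only link leads to an unrelated domain (placeholder, not a real site).
SAMPLE_EMAIL = """\
From: The Facebook Team <no-reply@facebook.com>
To: user@example.org
Subject: Your account has been deactivated
Content-Type: text/html

<html><body>
<p>Your Facebook account was deactivated. If this was a mistake,
<a href="http://pharmacy-spam.example/login">Sign In</a> to reactivate.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []       # finished (href, text) pairs
        self._href = None     # href of the anchor currently open, if any
        self._text = []       # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host (fine for .com/.org/.example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def html_body(msg):
    """Return the decoded text of the first text/html part (or the whole body)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return msg.get_payload(decode=True).decode("utf-8", errors="replace")


def suspicious_links(raw_email):
    """Return [(href, link_text, link_domain)] for links outside the sender's domain."""
    msg = message_from_string(raw_email)
    sender_address = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender_address.split("@")[-1])
    collector = LinkCollector()
    collector.feed(html_body(msg))
    findings = []
    for href, text in collector.links:
        link_domain = registrable_domain(urlsplit(href).hostname or "")
        if link_domain != sender_domain:
            findings.append((href, text, link_domain))
    return findings


if __name__ == "__main__":
    for href, text, domain in suspicious_links(SAMPLE_EMAIL):
        print(f'link "{text}" -> {href} (domain {domain} does not match the sender)')
```

The sender domain is taken from the `From` header only, so this check says nothing about whether that header is genuine; it catches the mismatch between what the mail claims and where it sends you, which is exactly what a reader is asked to notice before clicking.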

Article is from – [Help Net Security]

A preventative, layered approach to head off sophisticated malware threats

It attacked early in the morning without warning, provocation or even a whiff of foreshadowing. Unnoticed, it stealthily wormed through Beefmaster.com’s network, searching for and eventually gaining access to FTP credentials. It then modified countless files, redirecting the site’s visitors to malicious Web servers. Incredibly, it was able to hole up for 14 hours undetected while infecting hundreds of visitors’ computers with malware.
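A compromise like the one described above leaves two signals a site owner can watch for: many files in the web root changing at once, and redirect-style content appearing in pages that never had it. The following added example (not code from the article or from Beefmaster.com) takes a hash baseline of a web root, reports files that changed since the baseline, and scans the changed files for hidden iframes, meta refreshes and `location` assignments. The web root, its files and the `malicious.example` host are all constructed for this example, and the redirect patterns are a hypothetical starting list rather than a complete signature set.

```python
"""Detect mass modification of web files and injected redirects.

Added example, not code from the article. A baseline of SHA-256 hashes for a
web root is compared against the current tree; files that changed are then
scanned for content typical of visitor redirects. The web root is a constructed
temporary directory.
"""
import hashlib
import json
import os
import re
import tempfile

# Hypothetical list of redirect-like patterns for this example.
REDIRECT_PATTERNS = [
    re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0", re.I),   # hidden iframe
    re.compile(r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),     # meta refresh
    re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=", re.I),  # JS redirect
]
WEB_EXTENSIONS = {".html", ".htm", ".php", ".js"}


def sha256_file(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff_snapshot(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def injected_redirects(root, paths):
    """Return {path: [matched pattern strings]} for web files that look redirected."""
    hits = {}
    for rel in paths:
        if os.path.splitext(rel)[1].lower() not in WEB_EXTENSIONS:
            continue
        with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as f:
            content = f.read()
        matched = [p.pattern for p in REDIRECT_PATTERNS if p.search(content)]
        if matched:
            hits[rel] = matched
    return hits


def demo():
    """Build a constructed web root, take a baseline, then simulate the compromise."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><body><h1>Cattle for sale</h1></body></html>",
        "about.html": "<html><body><p>About us</p></body></html>",
        "logo.png": "not really a png",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(text)
    # The baseline should live somewhere the web server's FTP account cannot write;
    # here it is just round-tripped through JSON to show it serialises cleanly.
    baseline = json.loads(json.dumps(snapshot(root)))

    # Simulated mass modification: every HTML page gains a hidden iframe.
    injected = '<iframe src="http://malicious.example/" width=0 height=0></iframe>'
    for rel in ("index.html", "about.html"):
        with open(os.path.join(root, rel), "a", encoding="utf-8") as f:
            f.write(injected)

    modified, added, removed = diff_snapshot(baseline, snapshot(root))
    return modified, added, removed, injected_redirects(root, modified)


if __name__ == "__main__":
    modified, added, removed, hits = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
    for path, patterns in hits.items():
        print(f"{path}: matched {len(patterns)} redirect-like pattern(s)")
```

Run on a schedule, the hash comparison alone would have surfaced the mass edit long before 14 hours had passed; the content scan then tells the responder which of the changed files actually carry a redirect rather than a legitimate update.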

Check out the article – [Help Net Security]

Spyware Business No More

The Federal Trade Commission has put the brakes on the business practices of an operation that was selling spyware and showing customers how to remotely install it on other people’s computers without their knowledge or consent. The FTC is announcing a settlement that bars the sellers of the “RemoteSpy” keylogger from advertising that the spyware can be disguised and installed on someone else’s computer without the owner’s knowledge. It requires that the software provide notice that the program has been downloaded and obtain consent from computer owners before the software can be installed.

Check out the article – [Help Net Security]

Facebook plugs email address indexing bug

Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook.

Thousands of email addresses submitted using Facebook’s “Find a Friend” feature that were not tied to a Facebook account wound up getting indexed by Google, according to blogger Cory Watilo, who was among those affected. The “Find a Friend” feature allows friends to hunt for acquaintances on Facebook by email address, so those exposed have their so-called mates to thank for any exposure.

Check out the article – [The Register]